Alerting

how to limit events returned at the same time based on the field "logon_type"

massumtaqi
New Member

I am trying to limit the events returned or number of alerts triggered at the same time or within 5 seconds if the filed "logon_type" shows same in all events.

I want to check that condition if that meets , i.e Logon_Type="!7" within 5 seconds, trigger the alert once regardless of however many kicks in. So, For example, If the logon type is 3 then only one event should show.

0 Karma

massumtaqi
New Member

EventCode=4624
| rex "(?ms)Logon Type:...(?\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?[AEW]+.\w+.\w+)"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"

It shows multiple events with login type 3 when i rdp into a server . i want to limit that to 1. How can i do that?

0 Karma

Sukisen1981
Champion

Have you thought about doing it through a single alert? For example , say logon type 3 occurs 2 times during a 5 second interval and log on type 4 occurs once within the same 5 second interval, your single alert should contain a result with column header (say logon_type) with 2 row entries 1 each for types 3 and 4.
Without looking at your alert search it could be something like this - |where Logon_Type !="7" | dedup Logon_Type| table _time,Logon_Type

0 Karma

massumtaqi
New Member

IT works thanks however, i keep getting one email of logon type 3 every few minutes (not constant , 10 min , 20 min) while i am rdp into the server and not doing anything just logged in basically. how do i stop that concurrent emails as i need one email only when i use my login credential initially. Thanks again!

0 Karma

Sukisen1981
Champion

Hi that is more of your alert search issue...we need to look at your events and see what search you are executing to generate the alert

0 Karma

massumtaqi
New Member

EventCode=4624
| rex "(?ms)Logon Type:...(?\w+)"
| rex "(?ms)New Logon:\s+Security ID:..(?[AEW]+.\w+.\w+)"
| where (like (Login_Security_ID,"%mtaqi.a%"))
| where Logon_GUID!="{00000000-0000-0000-0000-000000000000}"
| where Logon_Type="3" AND (Logon_Type!="10" OR Logon_Type!="2")
| dedup Logon_Type

This is what is am trying to execute because i want to be alerted when my admin account (.a) is used. When i log in to the server and stay in and do nothing , the event triggers every 5 to 20 minutes on logon type 3 that i dont want, as i want to be alerted only once

For example, if my .a account is used to run a script that would create another .a account without actually logging in or RDP in to the sever, i should be alerted once with logon type 3. Therefore, i put where clause on logon type 3 if there is no preceding logon type 2 or 10.

Please advise!

0 Karma

woodcock
Esteemed Legend

Your question is very unclear but there is a throttling mechanism in the save dialog that has many options, including checking recent field values. If you need more direct control, you can add | outputlookup alert_tracking.csv and save this as a simple report and have another search which is the actual alert start with |inputlookup alert_tracking.csv followed by the throttling logic that you need.

0 Karma

massumtaqi
New Member

Thanks for you response but am looking for what i mentioned in above comment with sukisen. I appreciate your response though!

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...